
workstations, PCs, and laptops with spyware and viruses. Regardless of
preventive steps, from gateway protection to automated scans to written Internet Use Policies, malware threats sneak through even layered defenses. What makes the situation worse is that
many clients aren't willing to invest in standalone anti-spyware software, even
though they accept the need for basic antivirus protection.
Some IT professionals advocate simply
wiping systems and reinstalling Windows, while others suggest that's akin to
giving up and letting the bad guys win. The truth lies somewhere in between.
After making an image copy of the drive before you run anything else (it's always best to have a fallback
option when battling malicious infections, and the image is also your record of what the machine looked like if questions come up later), here are the measures I find most effective.
1. ISOLATE THE DRIVE
Many rootkit and Trojan threats are
masters of disguise that hide from the operating system before or as soon as
Windows starts. I find that even the best antivirus and antispyware tools --
including AVG Anti-Virus Professional, Malwarebytes Anti-Malware, and SuperAntiSpyware -- sometimes struggle to remove
such entrenched infections, because a scanner running on the infected copy of Windows is asking a compromised system to report on itself.
You need a system dedicated to removal: a known-clean machine with current signatures, kept off the client's production network, with AutoPlay/autorun disabled so that merely mounting the infected disk can't execute anything from it.
Pull the hard disk from the offending system, slave it to that dedicated test
machine, and run multiple virus and spyware scans against the entire slaved
drive.
2. REMOVE TEMPORARY FILES
While the drive is still slaved, browse
to every user's temporary files. These are typically found within
C:\Documents and Settings\Username\Local Settings\Temp on Windows
XP, or C:\Users\Username\AppData\Local\Temp on Windows Vista and
Windows 7. AppData is a hidden folder, so enable viewing hidden and system files first; and on Vista and 7, C:\Documents and Settings is only a junction pointing at C:\Users, so don't treat it as a second set of profiles.
Delete everything within the temporary
folders. Many threats hide there seeking to regenerate upon system startup.
With the drive still slaved, the files aren't in use and nothing is guarding them, so it's much easier to eliminate these offending
files.
3. RETURN THE DRIVE AND REPEAT THOSE SCANS
Once you've run a complete antivirus scan
and two full antispyware scans using two different, current, recently updated
anti-spyware applications (removing every infection found), return the
hard disk to the system. Then run the same scans again, this time with the drive booted natively.
Despite the offline scans and the temp-folder
cleanup, you may be surprised at the number of remaining active infections
the anti-malware applications subsequently find and remove. The offline scans see files; the native scans also see what actually loads at boot, including autostart entries, services, and running processes that only show themselves once the infected Windows is running. Only by performing
these additional native scans can you be sure you've done what you can to
locate and remove known threats.
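The slaved-drive cleanup in steps 1 through 3 boils down to locating every profile's Temp folder on a disk that isn't the boot disk and emptying it. Below is an added example, my own illustration rather than the author's tooling or any product's code, in Python because it runs unchanged whether the sick disk is slaved to a Windows bench machine, a KNOPPIX boot, or a Mac. It assumes the infected volume is mounted read-write at the path you pass in (the E:\ default and the --delete switch are my assumptions); it handles both the XP and Vista/7 layouts, skips links and junctions rather than following them, and only deletes when asked.

```python
import os
import shutil
import sys

# The two profile layouts named above: (profiles directory, Temp path inside a profile).
PROFILE_LAYOUTS = (
    ("Documents and Settings", os.path.join("Local Settings", "Temp")),   # Windows XP
    ("Users", os.path.join("AppData", "Local", "Temp")),                   # Vista / 7
)


def _is_reparse_point(path):
    """True for a symlink and, on Windows with Python 3.12+, a directory junction."""
    if os.path.islink(path):
        return True
    isjunction = getattr(os.path, "isjunction", None)
    return bool(isjunction and isjunction(path))


def find_user_temp_dirs(root):
    """Return every user profile's Temp folder under ROOT, each real folder once.

    Both layouts are tried because a Vista/7 volume still carries a
    'Documents and Settings' junction for compatibility. Links are skipped
    and real paths de-duplicated so no folder is processed twice.
    """
    seen, found = set(), []
    for profiles_dir, temp_subdir in PROFILE_LAYOUTS:
        base = os.path.join(root, profiles_dir)
        if not os.path.isdir(base) or _is_reparse_point(base):
            continue
        try:
            names = sorted(os.listdir(base))
        except OSError:          # e.g. the deny-list ACL on the Vista/7 junction
            continue
        for name in names:
            temp = os.path.join(base, name, temp_subdir)
            if not os.path.isdir(temp) or _is_reparse_point(temp):
                continue
            real = os.path.realpath(temp)
            if real not in seen:
                seen.add(real)
                found.append(temp)
    return found


def purge_temp_dirs(root, dry_run=True):
    """Empty every user Temp folder under ROOT; returns what was (or would be) removed.

    Result: {"deleted": [...], "skipped": [...], "failed": [...]} of paths.
    Links and junctions found inside Temp are never followed or removed, only
    reported: a link there is suspicious in itself, and following it is how a
    cleaner ends up deleting the Windows directory. With dry_run=True nothing is touched.
    """
    report = {"deleted": [], "skipped": [], "failed": []}
    for temp in find_user_temp_dirs(root):
        with os.scandir(temp) as it:
            entries = list(it)                     # snapshot before deleting
        for entry in entries:
            if entry.is_symlink() or _is_reparse_point(entry.path):
                report["skipped"].append(entry.path)
                continue
            if dry_run:
                report["deleted"].append(entry.path)
                continue
            try:
                if entry.is_dir(follow_symlinks=False):
                    shutil.rmtree(entry.path)
                else:
                    os.unlink(entry.path)
                report["deleted"].append(entry.path)
            except OSError:                        # locked or ACL-protected: handle by hand
                report["failed"].append(entry.path)
    return report


if __name__ == "__main__":
    # Usage: python purge_temp.py E:\ [--delete]   (dry run unless --delete is given)
    mount = sys.argv[1] if len(sys.argv) > 1 else "E:\\"
    result = purge_temp_dirs(mount, dry_run="--delete" not in sys.argv)
    for kind, paths in result.items():
        for path in paths:
            print(f"{kind}: {path}")
```

Run it once without --delete and read the list before committing; anything reported as skipped is a link or junction inside a Temp folder, which normal software has no reason to create and is worth looking at by hand.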
4. TEST THE SYSTEM
When you finish the previous three
steps, it's tempting to think a system is good to go. Don't make that mistake.
Boot it up, open the Web browser, and immediately delete all offline files and
cookies. Next, go to Internet Explorer's connection settings (Tools |
Internet Options, select the Connections tab, then click LAN settings) to
confirm that a malicious program didn't change the system's proxy server or
automatic configuration script; either one lets an attacker silently route or block traffic. Correct any issues you find and ensure the settings match
those required on your network or the client's network.
Then, visit 12 to 15 random sites. Look
for any anomalies, including the obvious popup windows, redirected Web
searches, hijacked home pages, and similar frustrations. Don't consider the
machine cleaned until you can open Google, Yahoo, and other search engines and complete
searches on a half-dozen different terms without being redirected. Be sure to test the system's
ability to reach popular anti-malware Web sites, such as AVG,
Symantec, and Malwarebytes; malware commonly blocks exactly those sites to keep signatures from updating.
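Two of the checks in step 4 can be done more reliably than by eyeballing dialogs: the proxy values Internet Explorer reads live under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings (ProxyEnable, ProxyServer, AutoConfigURL), and sites that refuse to load are often pinned in C:\Windows\System32\drivers\etc\hosts. The following Python is an added example, not the author's code: the registry read needs Windows, the two assessment functions are pure so they also work against values copied off a slaved drive, the watch list of domains is my assumption, and the sample hosts file is constructed for illustration.

```python
try:
    import winreg                   # Windows only; the assessment functions below are pure
except ImportError:
    winreg = None

IE_SETTINGS_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings"
PROXY_VALUES = ("ProxyEnable", "ProxyServer", "ProxyOverride", "AutoConfigURL")
HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"

# Assumed watch list: domains the post says a cleaned machine must be able to reach.
WATCHED_DOMAINS = ("avg.com", "symantec.com", "malwarebytes.org", "malwarebytes.com",
                   "windowsupdate.com", "google.com", "yahoo.com")

# Constructed sample hosts file for illustration; 203.0.113.7 is a TEST-NET address.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.avg.com             # blocks signature downloads
127.0.0.1       liveupdate.symantec.com
203.0.113.7     www.google.com          # silently redirects searches
"""


def read_ie_proxy_settings():
    """Read the current user's live proxy values from the registry (Windows only)."""
    if winreg is None:
        raise RuntimeError("winreg unavailable: run this on the Windows system itself")
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, IE_SETTINGS_KEY) as key:
        for name in PROXY_VALUES:
            try:
                values[name] = winreg.QueryValueEx(key, name)[0]
            except FileNotFoundError:
                values[name] = None
    return values


def assess_proxy_settings(values, expected_proxy=None, expected_pac=None):
    """Compare proxy values with what the network requires; return a list of findings.

    expected_proxy: the 'host:port' the site really uses, or None for a direct connection.
    expected_pac:   the automatic-configuration URL the site really uses, or None.
    """
    findings = []
    enabled = bool(values.get("ProxyEnable"))
    server = values.get("ProxyServer") or None
    pac = values.get("AutoConfigURL") or None
    if enabled and server != expected_proxy:
        findings.append(f"proxy enabled and pointed at {server!r}, expected {expected_proxy!r}")
    if not enabled and expected_proxy:
        findings.append(f"proxy disabled, but the network requires {expected_proxy!r}")
    if pac != expected_pac:
        findings.append(f"auto-config (PAC) URL is {pac!r}, expected {expected_pac!r}: "
                        "a PAC script can route only chosen sites through an attacker")
    return findings


def suspicious_hosts_entries(hosts_text, watched=WATCHED_DOMAINS):
    """Return (ip, hostname) pairs that pin a watched domain to any address.

    A legitimate hosts file almost never names these domains at all: 127.0.0.1
    blocks updates and downloads, any other address redirects them.
    """
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        parts = line.split()
        if len(parts) < 2:
            continue
        ip, hostnames = parts[0], parts[1:]
        for host in hostnames:
            h = host.lower().rstrip(".")
            if any(h == d or h.endswith("." + d) for d in watched):
                hits.append((ip, h))
    return hits


def check_hosts_file(path=HOSTS_PATH):
    """Read a hosts file (live system, or the same path on a slaved drive) and scan it."""
    with open(path, encoding="utf-8", errors="replace") as f:
        return suspicious_hosts_entries(f.read())


if __name__ == "__main__":
    for ip, host in check_hosts_file():
        print(f"hosts: {host} -> {ip}")
    for finding in assess_proxy_settings(read_ie_proxy_settings()):
        print(f"proxy: {finding}")
```

If the hosts file looks clean but the sites still fail, check HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DataBasePath, since that value tells Windows where the hosts file lives and can itself be pointed somewhere else. Proxy settings are per user, so run the check as each account that uses the machine.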
5. DIG DEEPER ON REMAINING INFECTIONS

as redirected searches or blocked access to specific Web sites, try determining
the filename for the active process causing the trouble. Trend Micro's
HijackThis, Microsoft's Process Explorer, and Windows' native System
Configuration Utility (Start | Run and type msconfig) are excellent
utilities for locating offending processes and the autostart entries that launch them. If necessary, search the
registry for the offending executable (the Run and RunOnce keys under HKLM and HKCU, and the Winlogon Shell and Userinit values, are the usual hiding places) and remove every instance. Then, reboot the
system and try again.
If a system still proves corrupt or unusable,
it's time to begin thinking about a reinstall. If an infection persists after
all these steps, you're likely in a losing battle.
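What HijackThis and msconfig show for step 5 is, underneath, a walk over a handful of registry keys. The following Python is an added example (not HijackThis, and not the author's procedure) that assumes it runs on the cleaned Windows system itself; it lists every autostart value referencing a given executable and flags programs launching from Temp or Recycler directories. The key list is the common subset those tools check rather than a complete one (services, scheduled tasks and browser helper objects are not covered), and the sample entries are constructed.

```python
import ntpath

try:
    import winreg                    # Windows only; the helpers below are pure
except ImportError:
    winreg = None

# (hive, subkey) pairs a HijackThis-style scan always looks at. Winlogon holds the
# Shell and Userinit values malware appends itself to.
AUTOSTART_KEYS = (
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
    ("HKLM", r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon"),
)

# Where step 2 said malware likes to live; a program autostarting from here deserves a look.
SUSPECT_DIR_FRAGMENTS = ("\\temp\\", "\\recycler\\", "\\$recycle.bin\\")

# Constructed sample entries, in the shape collect_autostart_entries() returns.
SAMPLE_ENTRIES = [
    ("HKLM", AUTOSTART_KEYS[0][1], "AVG_TRAY", r'"C:\Program Files\AVG\AVG9\avgtray.exe"'),
    ("HKCU", AUTOSTART_KEYS[2][1], "updater",
     r"C:\Documents and Settings\Bob\Local Settings\Temp\updater.exe /silent"),
    ("HKLM", AUTOSTART_KEYS[4][1], "Userinit",
     r"C:\WINDOWS\system32\userinit.exe,C:\RECYCLER\loader.exe,"),
]


def collect_autostart_entries():
    """Return [(hive, subkey, value_name, data)] for every value under AUTOSTART_KEYS (Windows only)."""
    if winreg is None:
        raise RuntimeError("winreg unavailable: run this on the Windows system itself")
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    entries = []
    for hive, subkey in AUTOSTART_KEYS:
        try:
            key = winreg.OpenKey(hives[hive], subkey)
        except FileNotFoundError:
            continue
        with key:
            index = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, index)
                except OSError:          # no more values
                    break
                entries.append((hive, subkey, name, str(data)))
                index += 1
    return entries


def image_paths(data, comma_list=False):
    """Extract the program path(s) from an autostart value: a quoted or bare path
    followed by arguments, or (comma_list=True, as for Userinit) a comma-separated list."""
    paths = []
    for part in (data.split(",") if comma_list else [data]):
        s = part.strip()
        if not s:
            continue
        if s.startswith('"'):
            end = s.find('"', 1)
            paths.append(s[1:end] if end > 0 else s[1:])
            continue
        cut = s.lower().find(".exe")
        paths.append(s[:cut + 4] if cut >= 0 else s.split()[0])
    return paths


def entries_referencing(entries, exe_name):
    """Every entry whose data mentions EXE_NAME's basename, case-insensitively."""
    needle = ntpath.basename(exe_name).lower()
    return [e for e in entries if needle in e[3].lower()]


def suspicious_entries(entries):
    """Entries whose program lives in a Temp or Recycler directory."""
    out = []
    for hive, subkey, name, data in entries:
        for p in image_paths(data, comma_list=subkey.endswith("Winlogon")):
            if any(frag in p.lower() for frag in SUSPECT_DIR_FRAGMENTS):
                out.append((hive, subkey, name, p))
                break
    return out


if __name__ == "__main__":
    import sys
    live = collect_autostart_entries()
    if len(sys.argv) > 1:                # python autostarts.py updater.exe
        for e in entries_referencing(live, sys.argv[1]):
            print("reference:", e)
    for e in suspicious_entries(live):
        print("suspect:", e)
```

Treat the output as a list of places to look, not a verdict: a legitimate installer occasionally launches from a Temp folder, and a Userinit value should normally contain nothing but userinit.exe.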
OTHER STRATEGIES
Some IT consultants swear by fancier
tricks than what I've outlined above. I've investigated KNOPPIX as one
alternative. And I've had a few occasions in the field where I've slaved
infected Windows drives to my Macintosh laptop to delete particularly obstinate
files in the absence of a boot disk. Other technicians recommend leveraging
such tools as Reimage, although I've
experienced difficulty getting the utility to even recognize common NICs,
without which the automated repair tool can't work.
What methods do you
recommend for removing viruses and spyware from clients' machines? Post your
suggestions in the discussion below.